Your message dated Sat, 31 Jan 2026 16:34:22 +0000
with message-id <[email protected]>
and subject line Bug#1126697: fixed in expat 2.7.4-1
has caused the Debian Bug report #1126697,
regarding expat: CVE-2026-25210
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126697
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: expat
Version: 2.7.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for expat.

CVE-2026-25210[0]:
| In libexpat before 2.7.4, the doContent function does not properly
| determine the buffer size bufSize because there is no integer
| overflow check for tag buffer reallocation.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25210
    https://www.cve.org/CVERecord?id=CVE-2026-25210
[1] https://github.com/libexpat/libexpat/commit/7ddea353ad3795f7222441274d4d9a155b523cba
    https://github.com/libexpat/libexpat/commit/8855346359a475c022ec8c28484a76c852f144d9
    https://github.com/libexpat/libexpat/commit/9c2d990389e6abe2e44527eeaa8b39f16fe859c7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: expat
Source-Version: 2.7.4-1
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 31 Jan 2026 15:29:44 +0100
Source: expat
Architecture: source
Version: 2.7.4-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1126697
Changes:
 expat (2.7.4-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes CVE-2026-25210: integer overflow check for tag buffer
       reallocation (closes: #1126697),
     - no longer ships expat.m4 file.
   * Update watch file.


--- End Message ---
